Have Businesses Learned the Lessons of September 11?

Now that a year has passed, what impact have the events of last September 11, 2001, had on companies' business-continuity and disaster-recovery plans? Many anecdotal reports, particularly from vendors of storage-related technology, suggest that although 9-11 focused senior management's attention on the need for an effective business continuity plan (BCP), management hasn't backed that interest with budgeted dollars. Several recent surveys support this view.

This summer, AT&T surveyed more than 1000 businesses nationwide, each with 100 employees or more. AT&T reported that 25 percent of the midsized and large companies that it queried still don't have BCPs and disaster-recovery plans in place. Moreover, of the companies that have BCPs, 27 percent haven't reviewed or evaluated those plans in the past year, and 19 percent haven't tested their BCP within the past 5 years. (You can read an executive summary of the report at the URL below.)

SunGard Availability Services conducted a similar survey this spring. (SunGard Availability Services is a division of SunGard that provides availability systems and solutions. SunGard's survey indicated that 80 percent of US companies don't have sufficient solutions in place to address network outages or systems failures that interrupt the flow of mission-critical data. New York research firm David Michaelson & Company conducted SunGard's poll, and SunGard CEO Jim Simmons observed that of the 200 companies that had sales of more than $5 million, few planned, prepared, and tested backup systems to keep business data available. SunGard also reported that 39 percent of the companies with sales of less than $20 million don't have written BCPs. In contrast, 74 percent of the companies surveyed with sales of more than $100 million have written BCPs.

Why do so few companies have business-continuity strategies in place, and who's responsible for a BCP? Strohl Systems Group, a provider of continuity planning software and services, conducted a survey that indicates that a BCP is a relatively new idea for many enterprises. Of the 836 respondents, 64 percent indicated that their companies had had a BCP in place for 5 years or less, and 21 percent reported that they had developed a BCP in the past year.

At present, organizations often assign responsibility for a BCP to different departments. So although 36 percent of the Strohl survey respondents identified IT as the department responsible for their BCP, 18 percent created BCP departments. Others assigned the BCP to risk management (11 percent), security (8 percent), or the financial department (6 percent).

In 15 percent of the organizations, the chief information officer (CIO) was the executive in charge of the BCP, and in 30 percent, a vice president was responsible. According to the Strohl survey, BCP budgets are small, with 53 percent of those queried revealing that the BCP budget represented less than 4 percent of their overall IT spending. Overall, the survey indicates that the BCP can fall through the cracks in many organizations.

So what are some of the key discoveries that companies made following the events of 9-11? According to a study the consulting arm of Deloitte & Touche conducted, among the most serious shortcomings that companies found in their BCP was that company directories and human resources (HR) databases were inaccurate, incomplete, or inaccessible. These shortcomings would make it very difficult for companies to account for their employees and to reestablish communication throughout the organization in the event of a disaster.

Technologies that businesses once considered noncritical have proven to be vitally important. Although many companies were able to recover their major data-center operations within a reasonable time frame, other companies found it more difficult to recover data distributed throughout the enterprise—particularly data stored on laptops and PCs. But investment in continuous availability technologies paid off. According to Deloitte & Touche, companies that had realtime failover capabilities in place were able to return to operation sooner.

The most important lesson businesses learned is that they have available technology to implement effective business-continuity and disaster-recovery programs. Now, management needs to step up to the plate.